New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Compiler Hardening Guide should include -ftrivial-auto-var-init #245
Comments
See also: performance regression in systemd due to this option: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523 |
There's nuance as to whether or not one should use
But |
And yet both It's a gives a dangerous feeling of false safety, which results in less portable code when applied incorrectly during development. It's only a somewhat reasonable choice for a release build. But dead store elimination is the only benefit you should take from it, you should still never rely on this as a "feature". In comparison, MSVC had enabled The bad part starts when QA relies heavily on tooling like valgrind / Intel Inspector to check for uninitialized memory accesses (not everyone is a developer which also renders asan a non-option), and these "helpful" compiler options just render you blind to issues you could have seen a long time ago. Not to mention that these options also have a heavy impact on the performance of these tools as well. Unlike the real The impact is even bigger when this causes errors in pre-built 3rd-party libraries to be masked, which are surprisingly often unmasked by validating an integrating application with real world data, rather than the (unfortunately often insufficient) data the application was tested against. Even when Microsoft is talking about the success story of Simple counter-example why this is a bad idea: You do TDD, and allocate your object/struct on the stack. You are rescued by MSVC style stack-zeroing, and your exhaustive test suite passes with flying flags. You followed every best practice you know about external tooling (everything short of Your library is integrated, and allocated on the heap instead. It works at first because you end up in pristine memory. It suddenly breaks at an entirely random point in time because you got placed into non-pristine memory. That also happened. More than once. Inconsistent behavior between storage classes is a trap. And in the C world, you always have to expect containers/patterns/macros which will not zero memory, even if you rerouted every |
The contraindicators brought up by @Ext3h and @siddhesh seem to substantial enough that I would propose we do not recommend this option in the guide at this point in time, but include it in the List of Considered Compiler Options with a brief summary of Ext3h's comment. |
Has this been addressed by the C/C++ Compiler Hardening options guide? @gkunz @thomasnyman @david-a-wheeler |
Brought up during the C/C++ Compiler BP Call 2023-09.27.
The
-ftrivial-auto-var-init=[uninitialized|pattern|zero]
option will make the compiler initialize automatic variables with either a pattern or with zeroes (depending on the chosen option argument) to increase program security by preventing uninitialized memory disclosure and use.This flag is supported since GCC 12 and Clang 8.0.
Considerations and references
-ftrivial-auto-var-init
The text was updated successfully, but these errors were encountered: